configure <auth-constraint> for access control

Himai Minh
Ranch Hand

Joined: Jul 29, 2012
Posts: 741
From Ivan's note p.246-248, in order to configure access control on the server side, the web.xml should define something like this:
<!-- <auth-constraint> is a child of a <security-constraint> element -->
<auth-constraint>
  <role-name>user</role-name>
</auth-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
<security-role>
  <role-name>user</role-name>
</security-role>

The sun-web.xml should define something like this:
<security-role-mapping>
<role-name>user</role-name>
<group-name>wsit</group-name>
</security-role-mapping>

My question is: what if there are thousands of users who are granted access control? Should we define thousands of <role-name> for <auth-constraint>, etc.?
And should we define thousands of <security-role-mapping> in sun-web.xml for each <role-name> in web.xml?

Frits Walraven
Creator of Enthuware JWS+ V6
Bartender

Joined: Apr 07, 2010
Posts: 1665
    
  25

You might want to read the security part from the EE6-tutorial, especially Working with Realms, Users, Groups, and Roles

Regards,
Frits
Himai Minh
Ranch Hand

Joined: Jul 29, 2012
Posts: 741
After reading the tutorial, it says to define roles in the sun-web.xml, not individual users.
That makes more sense now. "Role" means the role of the individual users. Examples of roles: students, admin, teacher, etc. Each student is in the "students" role.
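
The role-to-group relationship discussed in this thread can be checked mechanically. The following is an added example, not code from the thread or from the tutorial: it cross-checks that every role named in an <auth-constraint> is declared in a <security-role> and mapped to a group or principal in sun-web.xml. The function names and both sample descriptors (including the extra "admin" role) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors: "admin" is required but never declared or mapped.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>user</role-name></security-role>
</web-app>"""
SUN_WEB_XML = """<sun-web-app>
  <security-role-mapping>
    <role-name>user</role-name>
    <group-name>wsit</group-name>
  </security-role-mapping>
</sun-web-app>"""

def _local(tag):
    # Strip a "{namespace}" prefix so namespaced and plain descriptors match.
    return tag.rsplit("}", 1)[-1]

def _find(root, name):
    return [el for el in root.iter() if _local(el.tag) == name]

def _roles_under(root, parent):
    # Every <role-name> that is a direct child of a <parent> element.
    return {c.text.strip() for el in _find(root, parent)
            for c in el if _local(c.tag) == "role-name" and c.text}

def check_role_mapping(web_xml, sun_web_xml):
    web, sun = ET.fromstring(web_xml), ET.fromstring(sun_web_xml)
    required = _roles_under(web, "auth-constraint") - {"*"}  # "*" = any declared role
    declared = _roles_under(web, "security-role")
    mapped = set()
    for m in _find(sun, "security-role-mapping"):
        kids = {_local(c.tag): (c.text or "").strip() for c in m}
        # A mapping only grants access if it names a group or a principal.
        if kids.get("group-name") or kids.get("principal-name"):
            mapped.add(kids.get("role-name"))
    return {"undeclared": sorted(required - declared),
            "unmapped": sorted(required - mapped)}

if __name__ == "__main__":
    print(check_role_mapping(WEB_XML, SUN_WEB_XML))
```

A role that is required but unmapped leaves no user able to satisfy the constraint, so the check is worth running before deployment.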